Proactively Hardening Systems: Defining the Attack Surface

Let’s start with a seemingly simple question: Why protect your assets from intrusion at all? While there are many ways to answer this question, they all amount to ensuring that you, as the owner of that asset, receive the maximum amount of its value.

That might sound strange, but consider that an intruder, through compromise of an asset, is really using it for his own gain. That could be through copying of valuable data, or through direct use of computing resources, or through that asset’s access to other, more valuable assets.

Regardless of the details, we’re really still talking about functional value and ownership. With this in mind, that we’re protecting the asset’s value for ourselves, we can examine how an asset might be compromised.

It’s important to understand that every point of interaction with an asset is a vector for compromise. Whether it’s a remotely available service, or a locally available login, or even physical access, all of these points of interaction offer a means for an attacker to potentially utilize that asset’s value.

By combining an understanding of asset value to the organization, and the sum total of access vectors, we can lay out a path to proactively hardening systems against intrusion through the measurement of attack surface and diligent reduction of the same.

Defining Attack Surface

It’s tempting to assume a one to one relationship between attack surface and vulnerability, and to conclude that vulnerability management is the means by which one can measure attack surface, but we should be very careful not to confuse vulnerability with attack surface, nor to confuse either of the two with risk.

A vulnerability is a defect in software, at least in the context of information security, and it’s paired with a exploit as the means to exercise that vulnerability to some end. Risk is a broad term that represents anything that may adversely affect your business. There are many kinds of risk, including financial risk, human risk, compliance risk and vulnerability risk.

Where does attack surface fit in? As we described above, a system’s attack surface is the sum total of its available points of interaction. Any of the attack surface may present access to a vulnerability, or a misconfiguration or even a fully authenticated and authorized interaction. After all, attack surface is not limited to exploit, but is the primary vector for the realization of all kinds of risk.

Every point at which the device may interact with the outside world is part of its attack surface, and each presents some amount of risk. There are varying consequences of that risk being realized. For example, an attacker might physically damage the access point, creating a denial of service. It might be misconfigured allowing unauthorized use.

It might be intentionally compromised allowing for malicious data collection. You can probably imagine a number of additional examples, but the point is that the attack surface isn’t limited to vulnerabilities or misconfigurations, but is ultimately the complete collection of possible points of interaction.

That is, of course, a single, relatively simple device. Consider the points of interaction presented by the average laptop. You can then extrapolate the concept to a network full of devices, and ultimately to the business systems that those devices collectively make up. As you can see, conceptually, attack surface gets very complex, very fast.

In the next installment, we will examine strategies to actively reduce the attack surface…

This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.

The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.

Each year, numerous industry research reports provide budget forecasting on expected spending for worldwide IT. Some add a focus within specific industries as well as technologies, but very few focus strictly on IT security.

Bringing a few of the most notable reports together provides a valuable roundup of information for IT operations, including forecasts of IT security spending.

This may be a time-saver for busy CIOs and CISOs and their teams who are seeking data to compare, support and defend possibly thin IT security budgets, or a needed increase to meet business priorities.

This report is organized to review what the research shows, business priorities and trends to tap, and strategies on how to defend your numbers.